{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}},
{"id": "MINED115", "name": "Action `actions/cache` pinned to mutable ref `@v5`", "shortDescription": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "fullDescription": {"text": "`uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner, or by anyone who gains write access to the action's repository; that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pin updated."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/953"}, "properties": {"repository": "poteto/hiring-without-whiteboards", "repoUrl": "https://github.com/poteto/hiring-without-whiteboards", "branch": "main"}, "results": [{"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 89511, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 89516, "scanner": "repobility-supply-chain", "fingerprint": "21aef75111af436f1e012691590f6d052f6d2b49bdcbb5aad8a976462222e68d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21aef75111af436f1e012691590f6d052f6d2b49bdcbb5aad8a976462222e68d"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `lycheeverse/lychee-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 89515, "scanner": "repobility-supply-chain", "fingerprint": "70f0d54809ccebc201e0d9145687f6d094cd78f6084ad88d027c9b53d2e3086d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70f0d54809ccebc201e0d9145687f6d094cd78f6084ad88d027c9b53d2e3086d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 89514, "scanner": "repobility-supply-chain", "fingerprint": "e9578b461916e2bbca9f48b61281316c208586e55ea99678106e971e54dcdeba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9578b461916e2bbca9f48b61281316c208586e55ea99678106e971e54dcdeba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 89513, "scanner": "repobility-supply-chain", 
"fingerprint": "5b051c2e381d343d51f9a91e7974001fddb9c51e8ef2c25643f792e37fe5d854", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b051c2e381d343d51f9a91e7974001fddb9c51e8ef2c25643f792e37fe5d854"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 89512, "scanner": "repobility-supply-chain", "fingerprint": "91226c3870295edabea811fbd6196a0772e39c6750dcbb3fec0057a1d1b7cbfe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91226c3870295edabea811fbd6196a0772e39c6750dcbb3fec0057a1d1b7cbfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js.yml"}, "region": {"startLine": 13}}}]}]}]}